CVE-2021-33335 — Incorrect Authorization in Portal

CWE-863 — Incorrect Authorization CWE-269 — Improper Privilege Management4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.6%

top 29.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedAug 3

Latest updateMay 24

Description

Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDliferay/liferay_portal7.0.3 — 7.3.5

▶NVDliferay/digital_experience_platform7.1, 7.2+1

Patches

Patch: issues.liferay.com ↗Patch: issues.liferay.com ↗

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers↗2022-05-24

▶

OSV

Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers↗2022-05-24

▶

CVEList

CVE-2021-33335: Privilege escalation vulnerability in Liferay Portal 7↗2021-08-03

▶